7 Strategies to Comply with GDPR (II)
We continue with the presentation of the strategies for complying with the General Data Protection Regulation. The first part of the article is available here.
4. Setting the Terms for the Cooperation with the Third Parties
The provisions of GDPR do not apply exclusively to a company that processes personal data, but also to third parties with which the respective company cooperates or exchanges (user) information. Now is the perfect opportunity for any company to revise all its third-party contracts and make sure that they are GDPR compliant. The third parties have to disclose their internal strategies regarding the processing and storage of user data, so that there is permanent transparency regarding the circulation and transfer of personal information.
5. Respecting the “Right to be Forgotten”
Once the user ceases to use the services of an operator, or at any time at the user’s request, the company has to make sure that it correctly follows the procedure for deleting the personal data. If there are no legal grounds to keep the personal information or to refuse its deletion, the company should answer the user’s request within 30 days. In practice, this presupposes that each enterprise has the infrastructure and systems necessary to support such processes.
6. Creating Separate Information Storage Systems
In line with the principle of correct organization of data, many companies have started to implement a centralized system to store all the user data, with separate applications that access only the necessary information. In practice, this means that the various applications/departments of the company (HR, Marketing, Sales, etc.) process only a certain set of data, thus reducing the possibility of compromising or leaking data. This is a security protocol similar to the “token” system in online banking. Although this method might initially seem expensive, in the long run it will significantly reduce the potential costs and risks.
7. Efficient Measures to Avoid Sanctions
The consequences of not complying with the provisions of GDPR are extreme and may lead to actual bankruptcy in some severe cases. Fines can reach up to EUR 20 million or 4% of the annual income, whichever is higher. The most efficient methods of avoiding such drastic sanctions include organized data record keeping, notifying the relevant or supervisory authorities of any breach, and impact analyses in case of non-compliance. In principle, all the above strategies may contribute to mitigating or eliminating the risks of leakage or improper handling of personal information and, implicitly, the risks of fines.
Over the last decade, I've built my professional life as an investor, focusing on 3 key areas: financial services, real estate and tech startups. I’ve participated in the setup and development of two major fintechs, and after those two successful exits I’m now directing my resources into building a new enterprise in this area – the Key Way group.
I've started, participated in and developed companies in Romania, as well as Bulgaria, Hungary, Czech Republic, Germany, the UK, Mexico, Dubai and South East Asia. I'm constantly looking for new segments, new markets and new opportunities, and therefore I interact regularly with the regulator institutions and official agencies in various countries and markets.
The most recent example is the GCC area (Gulf Cooperation Council - Bahrain, Kuwait, Oman, Qatar and the United Arab Emirates, and Saudi Arabia). I started to research opportunities in that area at the end of 2018 - more specifically, the United Arab Emirates, which are establishing themselves as one of the most dynamic markets in the world.
The whole experience of working with the official institutions there was a great example of how to attract and encourage investors! ADGM, the Abu Dhabi Global Markets regulator, was established quite recently and I was absolutely impressed with their professionalism.
To start off, I researched the local market regulators online. The information was clear and easily available: I contacted them online, via their website and LinkedIn accounts. They responded promptly, and in only a few days, we set up a series of meetings with the financial markets regulators in both Abu Dhabi and Dubai!
The ADGM gave me full support and very clear, detailed information on what and how I need to do to obtain a trading licence in financial services in the UAE. I met with representatives from both the ADGM registration department (where all new businesses have to register before they acquire a licence for online trading) and from the FSRA (Financial Services Regulatory Authority).
They were very clear on the procedure, steps to follow and criteria we need to meet, which is a fantastic help for an investor on a new, highly regulated financial market.
In a few days I started the onboarding procedure - everything happens online, everything is digital, everything is set up for maximum ease and transparency.
They set investors up for success, but they make sure they vet them thoroughly as well! A "user friendly" approach does not mean lower standards, quite the opposite - they made sure I meet all commercial and business criteria, they assessed my financial, capital and business status and previous experience, and checked references from markets in which I operated previously.
We went through a process of very rigorous assessment and due diligence, and several meetings where I detailed our business plan and long term vision. Professional but friendly - you feel welcome, encouraged and supported as an investor.
Furthermore, their “enthusiasm”, or appetite for new business, equaled mine! They’re happy to welcome new businesses, they work hard to attract them and to set them up for success. I was very impressed that they genuinely appreciate the fact that investors, however big or small, choose their market to set up a company.
I’d love to see this same level of energy, hard work and appetite for business in my home country, Romania.
While other jurisdictions welcome investors and work hard to create the framework for development and success, I often feel that the Romanian regulators, for financial markets and not only, start from a default position of suspicion or, at best, indifference. Investors are regarded with thinly veiled (if at all veiled!) suspicion and distrust and sometimes downright hostility, you almost feel guilty or embarrassed to be successful financially.
I hope to see this mentality change in Romania, because I, as well as most Romanian entrepreneurs I know, really want to make our country a top choice for investments, not just in outsourcing and services. We want to make Romania known for its know how and creativity.
I think Romanian regulators should remember that their whole purpose of existence is to enable business, not hinder it. And as investors, especially once we see best practices from other jurisdictions, we need to remind them of this reality.
- Fintech OS - B2B services and TaaS enabling automation for financial services. The fact that this is a Romanian company that has achieved such rapid growth proves that (to paraphrase) geography is not destiny. Their experience is inspiring.
- Fagura - P2P Lending. Although Fagura is actually coming from Moldova, they are present in Romania. This is a friendly peer-to-peer platform, modelled on similar UK companies. I think it has good potential for success.
- Smart dreamers – a platform for recruitment marketing automation, they’re already in the UK, the US, and Singapore, with enterprise-ready software that helps companies reach and engage with potential candidates online.
- Medjobs – this is a platform for recruitment and jobs in the healthcare sector. I like their focus and the fact that they’ve honed in on this very specific opportunity, as it is a very dynamic niche and was generally very fragmented.
- Typing DNA – such an original idea! They’ve developed an app for typing biometrics authentication – recognizing people from the way they type, this is an AI-based solution for risk-based authentication and fraud prevention.
- Competitors.app – a very useful and comprehensive app for monitoring competitors’ marketing activity across online channels.
- Finqware – this was badly needed in Romania, since most companies and people have several bank accounts and they need a centralized dashboard for their finances.
- Keez – A user-friendly alternative to accounting, payroll, and ERP software.
- Teleport HQ - An AI powered platform and suite of open source tools which simplifies UI building and adds realtime optimisations by analysing user's intentions.
- Cyscale - a Multi-Cloud Platform, for all major providers like Amazon, Google and Microsoft, which handles Cloud Native Security, Threat management and Secure Cloud Design.